X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/98a4d31e52bd56c908617df281730bd4ba58d110..fef8173b8c3bad08f495551e43cfdeac1cae6021:/wp-admin/admin-ajax.php diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index 7f04dd7d..d2a8d4d2 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -9,52 +9,84 @@ /** * Executing AJAX process. * - * @since unknown + * @since 2.1.0 */ define('DOING_AJAX', true); define('WP_ADMIN', true); +if ( ! isset( $_REQUEST['action'] ) ) + die('-1'); + require_once('../wp-load.php'); -require_once('includes/admin.php'); + +require_once('./includes/admin.php'); @header('Content-Type: text/html; charset=' . get_option('blog_charset')); +send_nosniff_header(); do_action('admin_init'); if ( ! is_user_logged_in() ) { - if ( $_POST['action'] == 'autosave' ) { + if ( isset( $_POST['action'] ) && $_POST['action'] == 'autosave' ) { $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0; if ( ! $id ) die('-1'); - $message = sprintf( __('ALERT: You are logged out! Could not save draft. Please log in again.'), wp_login_url() ); - $x = new WP_Ajax_Response( array( - 'what' => 'autosave', - 'id' => $id, - 'data' => $message - ) ); - $x->send(); + $message = sprintf( __('ALERT: You are logged out! Could not save draft. Please log in again.'), wp_login_url() ); + $x = new WP_Ajax_Response( array( + 'what' => 'autosave', + 'id' => $id, + 'data' => $message + ) ); + $x->send(); } - if ( !empty( $_POST['action']) ) - do_action( 'wp_ajax_nopriv_' . $_POST['action'] ); + if ( !empty( $_REQUEST['action'] ) ) + do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); die('-1'); } if ( isset( $_GET['action'] ) ) : switch ( $action = $_GET['action'] ) : -case 'ajax-tag-search' : - if ( !current_user_can( 'edit_posts' ) ) - die('-1'); +case 'fetch-list' : - $s = $_GET['q']; // is this slashed already? + $list_class = $_GET['list_args']['class']; + check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' ); - if ( isset($_GET['tax']) ) - $taxonomy = sanitize_title($_GET['tax']); - else + $current_screen = (object) $_GET['list_args']['screen']; + //TODO fix this in a better way see #15336 + $current_screen->is_network = 'false' === $current_screen->is_network ? false : true; + $current_screen->is_user = 'false' === $current_screen->is_user ? false : true; + + define( 'WP_NETWORK_ADMIN', $current_screen->is_network ); + define( 'WP_USER_ADMIN', $current_screen->is_user ); + + $wp_list_table = _get_list_table( $list_class ); + if ( ! $wp_list_table ) + die( '0' ); + + if ( ! $wp_list_table->ajax_user_can() ) + die( '-1' ); + + $wp_list_table->ajax_response(); + + die( '0' ); + break; +case 'ajax-tag-search' : + if ( isset( $_GET['tax'] ) ) { + $taxonomy = sanitize_key( $_GET['tax'] ); + $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) + die( '0' ); + if ( ! current_user_can( $tax->cap->assign_terms ) ) + die( '-1' ); + } else { die('0'); + } + + $s = stripslashes( $_GET['q'] ); if ( false !== strpos( $s, ',' ) ) { $s = explode( ',', $s ); @@ -64,7 +96,7 @@ case 'ajax-tag-search' : if ( strlen( $s ) < 2 ) die; // require 2 chars for matching - $results = $wpdb->get_col( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE ('%" . $s . "%')" ); + $results = $wpdb->get_col( $wpdb->prepare( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.name LIKE (%s)", $taxonomy, '%' . like_escape( $s ) . '%' ) ); echo join( $results, "\n" ); die; @@ -91,10 +123,12 @@ case 'wp-compression-test' : echo $test_str; die; } elseif ( 2 == $_GET['test'] ) { - if ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) { + if ( !isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) + die('-1'); + if ( false !== stripos( $_SERVER['HTTP_ACCEPT_ENCODING'], 'deflate') && function_exists('gzdeflate') && ! $force_gzip ) { header('Content-Encoding: deflate'); $out = gzdeflate( $test_str, 1 ); - } elseif ( false !== strpos( strtolower($_SERVER['HTTP_ACCEPT_ENCODING']), 'gzip') && function_exists('gzencode') ) { + } elseif ( false !== stripos( $_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip') && function_exists('gzencode') ) { header('Content-Encoding: gzip'); $out = gzencode( $test_str, 1 ); } else { @@ -111,6 +145,33 @@ case 'wp-compression-test' : die('0'); break; +case 'imgedit-preview' : + $post_id = intval($_GET['postid']); + if ( empty($post_id) || !current_user_can('edit_post', $post_id) ) + die('-1'); + + check_ajax_referer( "image_editor-$post_id" ); + + include_once( ABSPATH . 'wp-admin/includes/image-edit.php' ); + if ( ! stream_preview_image($post_id) ) + die('-1'); + + die(); + break; +case 'menu-quick-search': + if ( ! current_user_can( 'edit_theme_options' ) ) + die('-1'); + + require_once ABSPATH . 'wp-admin/includes/nav-menu.php'; + + _wp_ajax_menu_quick_search( $_REQUEST ); + + exit; + break; +case 'oembed-cache' : + $return = ( $wp_embed->cache_oembed( $_GET['post'] ) ) ? '1' : '0'; + die( $return ); + break; default : do_action( 'wp_ajax_' . $_GET['action'] ); die('0'); @@ -128,7 +189,7 @@ endif; * @param int $comment_id * @return die */ -function _wp_ajax_delete_comment_response( $comment_id ) { +function _wp_ajax_delete_comment_response( $comment_id, $delta = -1 ) { $total = (int) @$_POST['_total']; $per_page = (int) @$_POST['_per_page']; $page = (int) @$_POST['_page']; @@ -137,40 +198,39 @@ function _wp_ajax_delete_comment_response( $comment_id ) { if ( !$total || !$per_page || !$page || !$url ) die( (string) time() ); - if ( --$total < 0 ) // Take the total from POST and decrement it (since we just deleted one) + $total += $delta; + if ( $total < 0 ) $total = 0; - if ( 0 != $total % $per_page && 1 != mt_rand( 1, $per_page ) ) // Only do the expensive stuff on a page-break, and about 1 other time per page - die( (string) time() ); + // Only do the expensive stuff on a page-break, and about 1 other time per page + if ( 0 == $total % $per_page || 1 == mt_rand( 1, $per_page ) ) { + $post_id = 0; + $status = 'total_comments'; // What type of comment count are we looking for? + $parsed = parse_url( $url ); + if ( isset( $parsed['query'] ) ) { + parse_str( $parsed['query'], $query_vars ); + if ( !empty( $query_vars['comment_status'] ) ) + $status = $query_vars['comment_status']; + if ( !empty( $query_vars['p'] ) ) + $post_id = (int) $query_vars['p']; + } - $status = 'total_comments'; // What type of comment count are we looking for? - $parsed = parse_url( $url ); - if ( isset( $parsed['query'] ) ) { - parse_str( $parsed['query'], $query_vars ); - if ( !empty( $query_vars['comment_status'] ) ) - $status = $query_vars['comment_status']; + $comment_count = wp_count_comments($post_id); + + if ( isset( $comment_count->$status ) ) // We're looking for a known type of comment count + $total = $comment_count->$status; + // else use the decremented value from above } - $comment_count = wp_count_comments(); $time = time(); // The time since the last comment count - if ( isset( $comment_count->$status ) ) // We're looking for a known type of comment count - $total = $comment_count->$status; - // else use the decremented value from above - - $page_links = paginate_links( array( - 'base' => add_query_arg( 'apage', '%#%', $url ), - 'format' => '', - 'prev_text' => __('«'), - 'next_text' => __('»'), - 'total' => ceil($total / $per_page), - 'current' => $page - ) ); $x = new WP_Ajax_Response( array( 'what' => 'comment', 'id' => $comment_id, // here for completeness - not used 'supplemental' => array( - 'pageLinks' => $page_links, + 'total_items_i18n' => sprintf( _n( '1 item', '%s items', $total ), number_format_i18n( $total ) ), + 'total_pages' => ceil( $total / $per_page ), + 'total_pages_i18n' => number_format_i18n( ceil( $total / $per_page ) ), 'total' => $total, 'time' => $time ) @@ -178,95 +238,145 @@ function _wp_ajax_delete_comment_response( $comment_id ) { $x->send(); } +function _wp_ajax_add_hierarchical_term() { + $action = $_POST['action']; + $taxonomy = get_taxonomy(substr($action, 4)); + check_ajax_referer( $action, '_ajax_nonce-add-' . $taxonomy->name ); + if ( !current_user_can( $taxonomy->cap->edit_terms ) ) + die('-1'); + $names = explode(',', $_POST['new'.$taxonomy->name]); + $parent = isset($_POST['new'.$taxonomy->name.'_parent']) ? (int) $_POST['new'.$taxonomy->name.'_parent'] : 0; + if ( 0 > $parent ) + $parent = 0; + if ( $taxonomy->name == 'category' ) + $post_category = isset($_POST['post_category']) ? (array) $_POST['post_category'] : array(); + else + $post_category = ( isset($_POST['tax_input']) && isset($_POST['tax_input'][$taxonomy->name]) ) ? (array) $_POST['tax_input'][$taxonomy->name] : array(); + $checked_categories = array_map( 'absint', (array) $post_category ); + $popular_ids = wp_popular_terms_checklist($taxonomy->name, 0, 10, false); + + foreach ( $names as $cat_name ) { + $cat_name = trim($cat_name); + $category_nicename = sanitize_title($cat_name); + if ( '' === $category_nicename ) + continue; + if ( !($cat_id = term_exists($cat_name, $taxonomy->name, $parent)) ) { + $new_term = wp_insert_term($cat_name, $taxonomy->name, array('parent' => $parent)); + $cat_id = $new_term['term_id']; + } + $checked_categories[] = $cat_id; + if ( $parent ) // Do these all at once in a second + continue; + $category = get_term( $cat_id, $taxonomy->name ); + ob_start(); + wp_terms_checklist( 0, array( 'taxonomy' => $taxonomy->name, 'descendants_and_self' => $cat_id, 'selected_cats' => $checked_categories, 'popular_cats' => $popular_ids )); + $data = ob_get_contents(); + ob_end_clean(); + $add = array( + 'what' => $taxonomy->name, + 'id' => $cat_id, + 'data' => str_replace( array("\n", "\t"), '', $data), + 'position' => -1 + ); + } + + if ( $parent ) { // Foncy - replace the parent and all its children + $parent = get_term( $parent, $taxonomy->name ); + $term_id = $parent->term_id; + + while ( $parent->parent ) { // get the top parent + $parent = &get_term( $parent->parent, $taxonomy->name ); + if ( is_wp_error( $parent ) ) + break; + $term_id = $parent->term_id; + } + + ob_start(); + wp_terms_checklist( 0, array('taxonomy' => $taxonomy->name, 'descendants_and_self' => $term_id, 'selected_cats' => $checked_categories, 'popular_cats' => $popular_ids)); + $data = ob_get_contents(); + ob_end_clean(); + $add = array( + 'what' => $taxonomy->name, + 'id' => $term_id, + 'data' => str_replace( array("\n", "\t"), '', $data), + 'position' => -1 + ); + } + + ob_start(); + wp_dropdown_categories( array( + 'taxonomy' => $taxonomy->name, 'hide_empty' => 0, 'name' => 'new'.$taxonomy->name.'_parent', 'orderby' => 'name', + 'hierarchical' => 1, 'show_option_none' => '— '.$taxonomy->labels->parent_item.' —' + ) ); + $sup = ob_get_contents(); + ob_end_clean(); + $add['supplemental'] = array( 'newcat_parent' => $sup ); + + $x = new WP_Ajax_Response( $add ); + $x->send(); +} + $id = isset($_POST['id'])? (int) $_POST['id'] : 0; switch ( $action = $_POST['action'] ) : case 'delete-comment' : // On success, die with time() instead of 1 - check_ajax_referer( "delete-comment_$id" ); if ( !$comment = get_comment( $id ) ) die( (string) time() ); if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) ) die('-1'); - if ( isset($_POST['spam']) && 1 == $_POST['spam'] ) { - if ( 'spam' == wp_get_comment_status( $comment->comment_ID ) ) + check_ajax_referer( "delete-comment_$id" ); + $status = wp_get_comment_status( $comment->comment_ID ); + + $delta = -1; + if ( isset($_POST['trash']) && 1 == $_POST['trash'] ) { + if ( 'trash' == $status ) die( (string) time() ); - $r = wp_set_comment_status( $comment->comment_ID, 'spam' ); - } else { + $r = wp_trash_comment( $comment->comment_ID ); + } elseif ( isset($_POST['untrash']) && 1 == $_POST['untrash'] ) { + if ( 'trash' != $status ) + die( (string) time() ); + $r = wp_untrash_comment( $comment->comment_ID ); + if ( ! isset( $_POST['comment_status'] ) || $_POST['comment_status'] != 'trash' ) // undo trash, not in trash + $delta = 1; + } elseif ( isset($_POST['spam']) && 1 == $_POST['spam'] ) { + if ( 'spam' == $status ) + die( (string) time() ); + $r = wp_spam_comment( $comment->comment_ID ); + } elseif ( isset($_POST['unspam']) && 1 == $_POST['unspam'] ) { + if ( 'spam' != $status ) + die( (string) time() ); + $r = wp_unspam_comment( $comment->comment_ID ); + if ( ! isset( $_POST['comment_status'] ) || $_POST['comment_status'] != 'spam' ) // undo spam, not in spam + $delta = 1; + } elseif ( isset($_POST['delete']) && 1 == $_POST['delete'] ) { $r = wp_delete_comment( $comment->comment_ID ); + } else { + die('-1'); } + if ( $r ) // Decide if we need to send back '1' or a more complicated response including page links and comment counts - _wp_ajax_delete_comment_response( $comment->comment_ID ); + _wp_ajax_delete_comment_response( $comment->comment_ID, $delta ); die( '0' ); break; -case 'delete-cat' : - check_ajax_referer( "delete-category_$id" ); - if ( !current_user_can( 'manage_categories' ) ) - die('-1'); +case 'delete-tag' : + $tag_id = (int) $_POST['tag_ID']; + check_ajax_referer( "delete-tag_$tag_id" ); - $cat = get_category( $id ); - if ( !$cat || is_wp_error( $cat ) ) - die('1'); + $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; + $tax = get_taxonomy($taxonomy); - if ( wp_delete_category( $id ) ) - die('1'); - else - die('0'); - break; -case 'delete-tag' : - check_ajax_referer( "delete-tag_$id" ); - if ( !current_user_can( 'manage_categories' ) ) + if ( !current_user_can( $tax->cap->delete_terms ) ) die('-1'); - if ( !empty($_POST['taxonomy']) ) - $taxonomy = $_POST['taxonomy']; - else - $taxonomy = 'post_tag'; - - $tag = get_term( $id, $taxonomy ); + $tag = get_term( $tag_id, $taxonomy ); if ( !$tag || is_wp_error( $tag ) ) die('1'); - if ( wp_delete_term($id, $taxonomy)) + if ( wp_delete_term($tag_id, $taxonomy)) die('1'); else die('0'); break; -case 'delete-link-cat' : - check_ajax_referer( "delete-link-category_$id" ); - if ( !current_user_can( 'manage_categories' ) ) - die('-1'); - - $cat = get_term( $id, 'link_category' ); - if ( !$cat || is_wp_error( $cat ) ) - die('1'); - - $cat_name = get_term_field('name', $id, 'link_category'); - - $default = get_option('default_link_category'); - - // Don't delete the default cats. - if ( $id == $default ) { - $x = new WP_AJAX_Response( array( - 'what' => 'link-cat', - 'id' => $id, - 'data' => new WP_Error( 'default-link-cat', sprintf(__("Can’t delete the %s category: this is the default one"), $cat_name) ) - ) ); - $x->send(); - } - - $r = wp_delete_term($id, 'link_category', array('default' => $default)); - if ( !$r ) - die('0'); - if ( is_wp_error($r) ) { - $x = new WP_AJAX_Response( array( - 'what' => 'link-cat', - 'id' => $id, - 'data' => $r - ) ); - $x->send(); - } - die('1'); - break; case 'delete-link' : check_ajax_referer( "delete-bookmark_$id" ); if ( !current_user_can( 'manage_links' ) ) @@ -305,6 +415,25 @@ case 'delete-post' : else die('0'); break; +case 'trash-post' : +case 'untrash-post' : + check_ajax_referer( "{$action}_$id" ); + if ( !current_user_can( 'delete_post', $id ) ) + die('-1'); + + if ( !get_post( $id ) ) + die('1'); + + if ( 'trash-post' == $action ) + $done = wp_trash_post( $id ); + else + $done = wp_untrash_post( $id ); + + if ( $done ) + die('1'); + + die('0'); + break; case 'delete-page' : check_ajax_referer( "{$action}_$id" ); if ( !current_user_can( 'delete_page', $id ) ) @@ -328,23 +457,19 @@ case 'dim-comment' : // On success, die with time() instead of 1 $x->send(); } - if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) ) - die('-1'); - if ( !current_user_can( 'moderate_comments' ) ) + if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) && !current_user_can( 'moderate_comments' ) ) die('-1'); $current = wp_get_comment_status( $comment->comment_ID ); if ( $_POST['new'] == $current ) die( (string) time() ); - $r = 0; - if ( in_array( $current, array( 'unapproved', 'spam' ) ) ) { - check_ajax_referer( "approve-comment_$id" ); + check_ajax_referer( "approve-comment_$id" ); + if ( in_array( $current, array( 'unapproved', 'spam' ) ) ) $result = wp_set_comment_status( $comment->comment_ID, 'approve', true ); - } else { - check_ajax_referer( "unapprove-comment_$id" ); + else $result = wp_set_comment_status( $comment->comment_ID, 'hold', true ); - } + if ( is_wp_error($result) ) { $x = new WP_Ajax_Response( array( 'what' => 'comment', @@ -357,58 +482,6 @@ case 'dim-comment' : // On success, die with time() instead of 1 _wp_ajax_delete_comment_response( $comment->comment_ID ); die( '0' ); break; -case 'add-category' : // On the Fly - check_ajax_referer( $action ); - if ( !current_user_can( 'manage_categories' ) ) - die('-1'); - $names = explode(',', $_POST['newcat']); - if ( 0 > $parent = (int) $_POST['newcat_parent'] ) - $parent = 0; - $post_category = isset($_POST['post_category'])? (array) $_POST['post_category'] : array(); - $checked_categories = array_map( 'absint', (array) $post_category ); - $popular_ids = isset( $_POST['popular_ids'] ) ? - array_map( 'absint', explode( ',', $_POST['popular_ids'] ) ) : - false; - - $x = new WP_Ajax_Response(); - foreach ( $names as $cat_name ) { - $cat_name = trim($cat_name); - $category_nicename = sanitize_title($cat_name); - if ( '' === $category_nicename ) - continue; - $cat_id = wp_create_category( $cat_name, $parent ); - $checked_categories[] = $cat_id; - if ( $parent ) // Do these all at once in a second - continue; - $category = get_category( $cat_id ); - ob_start(); - wp_category_checklist( 0, $cat_id, $checked_categories, $popular_ids ); - $data = ob_get_contents(); - ob_end_clean(); - $x->add( array( - 'what' => 'category', - 'id' => $cat_id, - 'data' => $data, - 'position' => -1 - ) ); - } - if ( $parent ) { // Foncy - replace the parent and all its children - $parent = get_category( $parent ); - ob_start(); - dropdown_categories( 0, $parent ); - $data = ob_get_contents(); - ob_end_clean(); - $x->add( array( - 'what' => 'category', - 'id' => $parent->term_id, - 'old_id' => $parent->term_id, - 'data' => $data, - 'position' => -1 - ) ); - - } - $x->send(); - break; case 'add-link-category' : // On the Fly check_ajax_referer( $action ); if ( !current_user_can( 'manage_categories' ) ) @@ -420,7 +493,7 @@ case 'add-link-category' : // On the Fly $slug = sanitize_title($cat_name); if ( '' === $slug ) continue; - if ( !$cat_id = is_term( $cat_name, 'link_category' ) ) { + if ( !$cat_id = term_exists( $cat_name, 'link_category' ) ) { $cat_id = wp_insert_term( $cat_name, 'link_category' ); } $cat_id = $cat_id['term_id']; @@ -434,153 +507,77 @@ case 'add-link-category' : // On the Fly } $x->send(); break; -case 'add-cat' : // From Manage->Categories - check_ajax_referer( 'add-category' ); - if ( !current_user_can( 'manage_categories' ) ) +case 'add-tag' : + check_ajax_referer( 'add-tag' ); + $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post'; + $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; + $tax = get_taxonomy($taxonomy); + + if ( !current_user_can( $tax->cap->edit_terms ) ) die('-1'); - if ( '' === trim($_POST['cat_name']) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'cat', - 'id' => new WP_Error( 'cat_name', __('You did not enter a category name.') ) - ) ); - $x->send(); - } + $x = new WP_Ajax_Response(); - if ( category_exists( trim( $_POST['cat_name'] ), $_POST['category_parent'] ) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'cat', - 'id' => new WP_Error( 'cat_exists', __('The category you are trying to create already exists.'), array( 'form-field' => 'cat_name' ) ), - ) ); - $x->send(); - } + $tag = wp_insert_term($_POST['tag-name'], $taxonomy, $_POST ); - $cat = wp_insert_category( $_POST, true ); + if ( !$tag || is_wp_error($tag) || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) { + $message = __('An error has occurred. Please reload the page and try again.'); + if ( is_wp_error($tag) && $tag->get_error_message() ) + $message = $tag->get_error_message(); - if ( is_wp_error($cat) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'cat', - 'id' => $cat + $x->add( array( + 'what' => 'taxonomy', + 'data' => new WP_Error('error', $message ) ) ); $x->send(); } - if ( !$cat || (!$cat = get_category( $cat )) ) - die('0'); + set_current_screen( $_POST['screen'] ); - $level = 0; - $cat_full_name = $cat->name; - $_cat = $cat; - while ( $_cat->parent ) { - $_cat = get_category( $_cat->parent ); - $cat_full_name = $_cat->name . ' — ' . $cat_full_name; - $level++; - } - $cat_full_name = esc_attr($cat_full_name); + $wp_list_table = _get_list_table('WP_Terms_List_Table'); - $x = new WP_Ajax_Response( array( - 'what' => 'cat', - 'id' => $cat->term_id, - 'position' => -1, - 'data' => _cat_row( $cat, $level, $cat_full_name ), - 'supplemental' => array('name' => $cat_full_name, 'show-link' => sprintf(__( 'Category %s added' ), "cat-$cat->term_id", $cat_full_name)) - ) ); - $x->send(); - break; -case 'add-link-cat' : // From Blogroll -> Categories - check_ajax_referer( 'add-link-category' ); - if ( !current_user_can( 'manage_categories' ) ) - die('-1'); - - if ( '' === trim($_POST['name']) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'link-cat', - 'id' => new WP_Error( 'name', __('You did not enter a category name.') ) - ) ); - $x->send(); - } - - $r = wp_insert_term($_POST['name'], 'link_category', $_POST ); - if ( is_wp_error( $r ) ) { - $x = new WP_AJAX_Response( array( - 'what' => 'link-cat', - 'id' => $r - ) ); - $x->send(); + $level = 0; + if ( is_taxonomy_hierarchical($taxonomy) ) { + $level = count( get_ancestors( $tag->term_id, $taxonomy ) ); + ob_start(); + $wp_list_table->single_row( $tag, $level ); + $noparents = ob_get_clean(); } - extract($r, EXTR_SKIP); - - if ( !$link_cat = link_cat_row( $term_id ) ) - die('0'); - - $x = new WP_Ajax_Response( array( - 'what' => 'link-cat', - 'id' => $term_id, - 'position' => -1, - 'data' => $link_cat - ) ); - $x->send(); - break; -case 'add-tag' : // From Manage->Tags - check_ajax_referer( 'add-tag' ); - if ( !current_user_can( 'manage_categories' ) ) - die('-1'); + ob_start(); + $wp_list_table->single_row( $tag ); + $parents = ob_get_clean(); - if ( '' === trim($_POST['name']) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'tag', - 'id' => new WP_Error( 'name', __('You did not enter a tag name.') ) + $x->add( array( + 'what' => 'taxonomy', + 'supplemental' => compact('parents', 'noparents') ) ); - $x->send(); - } - - if ( !empty($_POST['taxonomy']) ) - $taxonomy = $_POST['taxonomy']; - else - $taxonomy = 'post_tag'; - - $tag = wp_insert_term($_POST['name'], $taxonomy, $_POST ); - - if ( is_wp_error($tag) ) { - $x = new WP_Ajax_Response( array( - 'what' => 'tag', - 'id' => $tag + $x->add( array( + 'what' => 'term', + 'position' => $level, + 'supplemental' => (array) $tag ) ); - $x->send(); - } - - if ( !$tag || (!$tag = get_term( $tag['term_id'], $taxonomy )) ) - die('0'); - - $tag_full_name = $tag->name; - $tag_full_name = esc_attr($tag_full_name); - - $x = new WP_Ajax_Response( array( - 'what' => 'tag', - 'id' => $tag->term_id, - 'position' => '-1', - 'data' => _tag_row( $tag, '', $taxonomy ), - 'supplemental' => array('name' => $tag_full_name, 'show-link' => sprintf(__( 'Tag %s added' ), "tag-$tag->term_id", $tag_full_name)) - ) ); $x->send(); break; case 'get-tagcloud' : - if ( !current_user_can( 'edit_posts' ) ) - die('-1'); - - if ( isset($_POST['tax']) ) - $taxonomy = sanitize_title($_POST['tax']); - else + if ( isset( $_POST['tax'] ) ) { + $taxonomy = sanitize_key( $_POST['tax'] ); + $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) + die( '0' ); + if ( ! current_user_can( $tax->cap->assign_terms ) ) + die( '-1' ); + } else { die('0'); + } $tags = get_terms( $taxonomy, array( 'number' => 45, 'orderby' => 'count', 'order' => 'DESC' ) ); if ( empty( $tags ) ) - die( __('No tags found!') ); + die( isset( $tax->no_tagcloud ) ? $tax->no_tagcloud : __('No tags found!') ); - if ( is_wp_error($tags) ) - die($tags->get_error_message()); + if ( is_wp_error( $tags ) ) + die( $tags->get_error_message() ); foreach ( $tags as $key => $tag ) { $tags[ $key ]->link = '#'; @@ -597,63 +594,27 @@ case 'get-tagcloud' : exit; break; -case 'add-comment' : - check_ajax_referer( $action ); - if ( !current_user_can( 'edit_post', $id ) ) - die('-1'); - $search = isset($_POST['s']) ? $_POST['s'] : false; - $status = isset($_POST['comment_status']) ? $_POST['comment_status'] : 'all'; - $per_page = isset($_POST['per_page']) ? (int) $_POST['per_page'] + 8 : 28; - $start = isset($_POST['page']) ? ( intval($_POST['page']) * $per_page ) -1 : $per_page - 1; - if ( 1 > $start ) - $start = 27; - - $mode = isset($_POST['mode']) ? $_POST['mode'] : 'detail'; - $p = isset($_POST['p']) ? $_POST['p'] : 0; - $comment_type = isset($_POST['comment_type']) ? $_POST['comment_type'] : ''; - list($comments, $total) = _wp_get_comment_list( $status, $search, $start, 1, $p, $comment_type ); - - if ( get_option('show_avatars') ) - add_filter( 'comment_author', 'floated_admin_avatar' ); - - if ( !$comments ) - die('1'); - $x = new WP_Ajax_Response(); - foreach ( (array) $comments as $comment ) { - get_comment( $comment ); - ob_start(); - _wp_comment_row( $comment->comment_ID, $mode, $status, true, true ); - $comment_list_item = ob_get_contents(); - ob_end_clean(); - $x->add( array( - 'what' => 'comment', - 'id' => $comment->comment_ID, - 'data' => $comment_list_item - ) ); - } - $x->send(); - break; case 'get-comments' : check_ajax_referer( $action ); - $post_ID = (int) $_POST['post_ID']; - if ( !current_user_can( 'edit_post', $post_ID ) ) - die('-1'); + set_current_screen( 'edit-comments' ); + + $wp_list_table = _get_list_table('WP_Post_Comments_List_Table'); - $start = isset($_POST['start']) ? intval($_POST['start']) : 0; - $num = isset($_POST['num']) ? intval($_POST['num']) : 10; + if ( !current_user_can( 'edit_post', $post_id ) ) + die('-1'); - list($comments, $total) = _wp_get_comment_list( false, false, $start, $num, $post_ID ); + $wp_list_table->prepare_items(); - if ( !$comments ) + if ( !$wp_list_table->has_items() ) die('1'); $comment_list_item = ''; $x = new WP_Ajax_Response(); - foreach ( (array) $comments as $comment ) { + foreach ( $wp_list_table->items as $comment ) { get_comment( $comment ); ob_start(); - _wp_comment_row( $comment->comment_ID, 'single', false, false ); + $wp_list_table->single_row( $comment ); $comment_list_item .= ob_get_contents(); ob_end_clean(); } @@ -664,7 +625,9 @@ case 'get-comments' : $x->send(); break; case 'replyto-comment' : - check_ajax_referer( $action ); + check_ajax_referer( $action, '_ajax_nonce-replyto-comment' ); + + set_current_screen( 'edit-comments' ); $comment_post_ID = (int) $_POST['comment_post_ID']; if ( !current_user_can( 'edit_post', $comment_post_ID ) ) @@ -674,7 +637,7 @@ case 'replyto-comment' : if ( empty($status) ) die('1'); - elseif ( in_array($status, array('draft', 'pending') ) ) + elseif ( in_array($status, array('draft', 'pending', 'trash') ) ) die( __('Error: you are replying to a comment on a draft post.') ); $user = wp_get_current_user(); @@ -703,22 +666,21 @@ case 'replyto-comment' : $comment = get_comment($comment_id); if ( ! $comment ) die('1'); - $modes = array( 'single', 'detail', 'dashboard' ); - $mode = isset($_POST['mode']) && in_array( $_POST['mode'], $modes ) ? $_POST['mode'] : 'detail'; $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1'; - $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0; - - if ( get_option('show_avatars') && 'single' != $mode ) - add_filter( 'comment_author', 'floated_admin_avatar' ); $x = new WP_Ajax_Response(); ob_start(); - if ( 'dashboard' == $mode ) { + if ( 'dashboard' == $_REQUEST['mode'] ) { require_once( ABSPATH . 'wp-admin/includes/dashboard.php' ); - _wp_dashboard_recent_comments_row( $comment, false ); + _wp_dashboard_recent_comments_row( $comment ); } else { - _wp_comment_row( $comment->comment_ID, $mode, false, $checkbox ); + if ( 'single' == $_REQUEST['mode'] ) { + $wp_list_table = _get_list_table('WP_Post_Comments_List_Table'); + } else { + $wp_list_table = _get_list_table('WP_Comments_List_Table'); + } + $wp_list_table->single_row( $comment ); } $comment_list_item = ob_get_contents(); ob_end_clean(); @@ -733,7 +695,9 @@ case 'replyto-comment' : $x->send(); break; case 'edit-comment' : - check_ajax_referer( 'replyto-comment' ); + check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ); + + set_current_screen( 'edit-comments' ); $comment_post_ID = (int) $_POST['comment_post_ID']; if ( ! current_user_can( 'edit_post', $comment_post_ID ) ) @@ -746,21 +710,19 @@ case 'edit-comment' : $_POST['comment_status'] = $_POST['status']; edit_comment(); - $mode = ( isset($_POST['mode']) && 'single' == $_POST['mode'] ) ? 'single' : 'detail'; $position = ( isset($_POST['position']) && (int) $_POST['position']) ? (int) $_POST['position'] : '-1'; - $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0; - $comments_listing = isset($_POST['comments_listing']) ? $_POST['comments_listing'] : ''; - - if ( get_option('show_avatars') && 'single' != $mode ) - add_filter( 'comment_author', 'floated_admin_avatar' ); + $comments_status = isset($_POST['comments_listing']) ? $_POST['comments_listing'] : ''; - $x = new WP_Ajax_Response(); + $checkbox = ( isset($_POST['checkbox']) && true == $_POST['checkbox'] ) ? 1 : 0; + $wp_list_table = _get_list_table( $checkbox ? 'WP_Comments_List_Table' : 'WP_Post_Comments_List_Table' ); ob_start(); - _wp_comment_row( $comment_id, $mode, $comments_listing, $checkbox ); + $wp_list_table->single_row( get_comment( $comment_id ) ); $comment_list_item = ob_get_contents(); ob_end_clean(); + $x = new WP_Ajax_Response(); + $x->add( array( 'what' => 'edit_comment', 'id' => $comment->comment_ID, @@ -770,20 +732,90 @@ case 'edit-comment' : $x->send(); break; +case 'add-menu-item' : + if ( ! current_user_can( 'edit_theme_options' ) ) + die('-1'); + + check_ajax_referer( 'add-menu_item', 'menu-settings-column-nonce' ); + + require_once ABSPATH . 'wp-admin/includes/nav-menu.php'; + + // For performance reasons, we omit some object properties from the checklist. + // The following is a hacky way to restore them when adding non-custom items. + + $menu_items_data = array(); + foreach ( (array) $_POST['menu-item'] as $menu_item_data ) { + if ( + ! empty( $menu_item_data['menu-item-type'] ) && + 'custom' != $menu_item_data['menu-item-type'] && + ! empty( $menu_item_data['menu-item-object-id'] ) + ) { + switch( $menu_item_data['menu-item-type'] ) { + case 'post_type' : + $_object = get_post( $menu_item_data['menu-item-object-id'] ); + break; + + case 'taxonomy' : + $_object = get_term( $menu_item_data['menu-item-object-id'], $menu_item_data['menu-item-object'] ); + break; + } + + $_menu_items = array_map( 'wp_setup_nav_menu_item', array( $_object ) ); + $_menu_item = array_shift( $_menu_items ); + + // Restore the missing menu item properties + $menu_item_data['menu-item-description'] = $_menu_item->description; + } + + $menu_items_data[] = $menu_item_data; + } + + $item_ids = wp_save_nav_menu_items( 0, $menu_items_data ); + if ( is_wp_error( $item_ids ) ) + die('-1'); + + foreach ( (array) $item_ids as $menu_item_id ) { + $menu_obj = get_post( $menu_item_id ); + if ( ! empty( $menu_obj->ID ) ) { + $menu_obj = wp_setup_nav_menu_item( $menu_obj ); + $menu_obj->label = $menu_obj->title; // don't show "(pending)" in ajax-added items + $menu_items[] = $menu_obj; + } + } + + if ( ! empty( $menu_items ) ) { + $args = array( + 'after' => '', + 'before' => '', + 'link_after' => '', + 'link_before' => '', + 'walker' => new Walker_Nav_Menu_Edit, + ); + echo walk_nav_menu_tree( $menu_items, 0, (object) $args ); + } + break; case 'add-meta' : - check_ajax_referer( 'add-meta' ); + check_ajax_referer( 'add-meta', '_ajax_nonce-add-meta' ); $c = 0; $pid = (int) $_POST['post_id']; + $post = get_post( $pid ); + if ( isset($_POST['metakeyselect']) || isset($_POST['metakeyinput']) ) { if ( !current_user_can( 'edit_post', $pid ) ) die('-1'); if ( isset($_POST['metakeyselect']) && '#NONE#' == $_POST['metakeyselect'] && empty($_POST['metakeyinput']) ) die('1'); - if ( $pid < 0 ) { + if ( $post->post_status == 'auto-draft' ) { + $save_POST = $_POST; // Backup $_POST + $_POST = array(); // Make it empty for edit_post() + $_POST['action'] = 'draft'; // Warning fix + $_POST['post_ID'] = $pid; + $_POST['post_type'] = $post->post_type; + $_POST['post_status'] = 'draft'; $now = current_time('timestamp', 1); - if ( $pid = wp_insert_post( array( - 'post_title' => sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now)) - ) ) ) { + $_POST['post_title'] = sprintf('Draft created on %s at %s', date(get_option('date_format'), $now), date(get_option('time_format'), $now)); + + if ( $pid = edit_post() ) { if ( is_wp_error( $pid ) ) { $x = new WP_Ajax_Response( array( 'what' => 'meta', @@ -791,6 +823,7 @@ case 'add-meta' : ) ); $x->send(); } + $_POST = $save_POST; // Now we can restore original $_POST again if ( !$mid = add_meta( $pid ) ) die(__('Please provide a custom field value.')); } else { @@ -810,15 +843,19 @@ case 'add-meta' : 'position' => 1, 'supplemental' => array('postid' => $pid) ) ); - } else { - $mid = (int) array_pop(array_keys($_POST['meta'])); + } else { // Update? + $mid = (int) array_pop( $var_by_ref = array_keys($_POST['meta']) ); $key = $_POST['meta'][$mid]['key']; $value = $_POST['meta'][$mid]['value']; + if ( '' == trim($key) ) + die(__('Please provide a custom field name.')); + if ( '' == trim($value) ) + die(__('Please provide a custom field value.')); if ( !$meta = get_post_meta_by_id( $mid ) ) die('0'); // if meta doesn't exist if ( !current_user_can( 'edit_post', $meta->post_id ) ) die('-1'); - if ( $meta->meta_value != stripslashes($value) ) { + if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) { if ( !$u = update_meta( $mid, $key, $value ) ) die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems). } @@ -843,7 +880,6 @@ case 'add-user' : check_ajax_referer( $action ); if ( !current_user_can('create_users') ) die('-1'); - require_once(ABSPATH . WPINC . '/registration.php'); if ( !$user_id = add_user() ) die('0'); elseif ( is_wp_error( $user_id ) ) { @@ -855,10 +891,12 @@ case 'add-user' : } $user_object = new WP_User( $user_id ); + $wp_list_table = _get_list_table('WP_Users_List_Table'); + $x = new WP_Ajax_Response( array( 'what' => 'user', 'id' => $user_id, - 'data' => user_row( $user_object, '', $user_object->roles[0] ), + 'data' => $wp_list_table->single_row( $user_object, '', $user_object->roles[0] ), 'supplemental' => array( 'show-link' => sprintf(__( 'User %s added' ), "user-$user_id", $user_object->user_login), 'role' => $user_object->roles[0] @@ -870,10 +908,9 @@ case 'autosave' : // The name of this action is hardcoded in edit_post() define( 'DOING_AUTOSAVE', true ); $nonce_age = check_ajax_referer( 'autosave', 'autosavenonce' ); - global $current_user; $_POST['post_category'] = explode(",", $_POST['catslist']); - if($_POST['post_type'] == 'page' || empty($_POST['post_category'])) + if ( $_POST['post_type'] == 'page' || empty($_POST['post_category']) ) unset($_POST['post_category']); $do_autosave = (bool) $_POST['autosave']; @@ -882,62 +919,62 @@ case 'autosave' : // The name of this action is hardcoded in edit_post() $data = ''; /* translators: draft saved date format, see http://php.net/date */ $draft_saved_date_format = __('g:i:s a'); - $message = sprintf( __('Draft Saved at %s.'), date_i18n( $draft_saved_date_format ) ); + /* translators: %s: date and time */ + $message = sprintf( __('Draft saved at %s.'), date_i18n( $draft_saved_date_format ) ); $supplemental = array(); + if ( isset($login_grace_period) ) + $supplemental['session_expired'] = add_query_arg( 'interim-login', 1, wp_login_url() ); $id = $revision_id = 0; - if($_POST['post_ID'] < 0) { + + $post_ID = (int) $_POST['post_ID']; + $_POST['ID'] = $post_ID; + $post = get_post($post_ID); + if ( 'auto-draft' == $post->post_status ) $_POST['post_status'] = 'draft'; - $_POST['temp_ID'] = $_POST['post_ID']; - if ( $do_autosave ) { - $id = wp_write_post(); - $data = $message; - } - } else { - $post_ID = (int) $_POST['post_ID']; - $_POST['ID'] = $post_ID; - $post = get_post($post_ID); - if ( $last = wp_check_post_lock( $post->ID ) ) { - $do_autosave = $do_lock = false; + if ( $last = wp_check_post_lock( $post->ID ) ) { + $do_autosave = $do_lock = false; - $last_user = get_userdata( $last ); - $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); - $data = new WP_Error( 'locked', sprintf( - $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ), - esc_html( $last_user_name ) - ) ); + $last_user = get_userdata( $last ); + $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); + $data = new WP_Error( 'locked', sprintf( + $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ), + esc_html( $last_user_name ) + ) ); - $supplemental['disable_autosave'] = 'disable'; - } + $supplemental['disable_autosave'] = 'disable'; + } - if ( 'page' == $post->post_type ) { - if ( !current_user_can('edit_page', $post_ID) ) - die(__('You are not allowed to edit this page.')); - } else { - if ( !current_user_can('edit_post', $post_ID) ) - die(__('You are not allowed to edit this post.')); - } + if ( 'page' == $post->post_type ) { + if ( !current_user_can('edit_page', $post_ID) ) + die(__('You are not allowed to edit this page.')); + } else { + if ( !current_user_can('edit_post', $post_ID) ) + die(__('You are not allowed to edit this post.')); + } - if ( $do_autosave ) { - // Drafts are just overwritten by autosave - if ( 'draft' == $post->post_status ) { - $id = edit_post(); - } else { // Non drafts are not overwritten. The autosave is stored in a special post revision. - $revision_id = wp_create_post_autosave( $post->ID ); - if ( is_wp_error($revision_id) ) - $id = $revision_id; - else - $id = $post->ID; - } - $data = $message; - } else { - $id = $post->ID; + if ( $do_autosave ) { + // Drafts and auto-drafts are just overwritten by autosave + if ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) { + $id = edit_post(); + } else { // Non drafts are not overwritten. The autosave is stored in a special post revision. + $revision_id = wp_create_post_autosave( $post->ID ); + if ( is_wp_error($revision_id) ) + $id = $revision_id; + else + $id = $post->ID; } + $data = $message; + } else { + if ( isset( $_POST['auto_draft'] ) && '1' == $_POST['auto_draft'] ) + $id = 0; // This tells us it didn't actually save + else + $id = $post->ID; } - if ( $do_lock && $id && is_numeric($id) ) + if ( $do_lock && ( isset( $_POST['auto_draft'] ) && ( $_POST['auto_draft'] != '1' ) ) && $id && is_numeric($id) ) wp_set_post_lock( $id ); if ( $nonce_age == 2 ) { @@ -961,26 +998,14 @@ case 'autosave' : // The name of this action is hardcoded in edit_post() ) ); $x->send(); break; -case 'autosave-generate-nonces' : - check_ajax_referer( 'autosave', 'autosavenonce' ); - $ID = (int) $_POST['post_ID']; - if($_POST['post_type'] == 'post') { - if(current_user_can('edit_post', $ID)) - die(wp_create_nonce('update-post_' . $ID)); - } - if($_POST['post_type'] == 'page') { - if(current_user_can('edit_page', $ID)) { - die(wp_create_nonce('update-page_' . $ID)); - } - } - die('0'); -break; case 'closed-postboxes' : check_ajax_referer( 'closedpostboxes', 'closedpostboxesnonce' ); - $closed = isset( $_POST['closed'] ) ? $_POST['closed'] : ''; - $closed = explode( ',', $_POST['closed'] ); - $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : ''; - $hidden = explode( ',', $_POST['hidden'] ); + $closed = isset( $_POST['closed'] ) ? explode( ',', $_POST['closed']) : array(); + $closed = array_filter($closed); + + $hidden = isset( $_POST['hidden'] ) ? explode( ',', $_POST['hidden']) : array(); + $hidden = array_filter($hidden); + $page = isset( $_POST['page'] ) ? $_POST['page'] : ''; if ( !preg_match( '/^[a-z_-]+$/', $page ) ) @@ -990,11 +1015,11 @@ case 'closed-postboxes' : die('-1'); if ( is_array($closed) ) - update_usermeta($user->ID, 'closedpostboxes_'.$page, $closed); + update_user_option($user->ID, "closedpostboxes_$page", $closed, true); if ( is_array($hidden) ) { - $hidden = array_diff( $hidden, array('submitdiv', 'pagesubmitdiv', 'linksubmitdiv') ); // postboxes that are always shown - update_usermeta($user->ID, 'meta-box-hidden_'.$page, $hidden); + $hidden = array_diff( $hidden, array('submitdiv', 'linksubmitdiv', 'manage-menu', 'create-menu') ); // postboxes that are always shown + update_user_option($user->ID, "metaboxhidden_$page", $hidden, true); } die('1'); @@ -1012,8 +1037,87 @@ case 'hidden-columns' : die('-1'); if ( is_array($hidden) ) - update_usermeta($user->ID, "manage-$page-columns-hidden", $hidden); + update_user_option($user->ID, "manage{$page}columnshidden", $hidden, true); + die('1'); + break; +case 'menu-get-metabox' : + if ( ! current_user_can( 'edit_theme_options' ) ) + die('-1'); + + require_once ABSPATH . 'wp-admin/includes/nav-menu.php'; + + if ( isset( $_POST['item-type'] ) && 'post_type' == $_POST['item-type'] ) { + $type = 'posttype'; + $callback = 'wp_nav_menu_item_post_type_meta_box'; + $items = (array) get_post_types( array( 'show_in_nav_menus' => true ), 'object' ); + } elseif ( isset( $_POST['item-type'] ) && 'taxonomy' == $_POST['item-type'] ) { + $type = 'taxonomy'; + $callback = 'wp_nav_menu_item_taxonomy_meta_box'; + $items = (array) get_taxonomies( array( 'show_ui' => true ), 'object' ); + } + + if ( ! empty( $_POST['item-object'] ) && isset( $items[$_POST['item-object']] ) ) { + $item = apply_filters( 'nav_menu_meta_box_object', $items[ $_POST['item-object'] ] ); + ob_start(); + call_user_func_array($callback, array( + null, + array( + 'id' => 'add-' . $item->name, + 'title' => $item->labels->name, + 'callback' => $callback, + 'args' => $item, + ) + )); + + $markup = ob_get_clean(); + + echo json_encode(array( + 'replace-id' => $type . '-' . $item->name, + 'markup' => $markup, + )); + } + + exit; + break; +case 'menu-quick-search': + if ( ! current_user_can( 'edit_theme_options' ) ) + die('-1'); + + require_once ABSPATH . 'wp-admin/includes/nav-menu.php'; + + _wp_ajax_menu_quick_search( $_REQUEST ); + + exit; + break; +case 'wp-link-ajax': + require_once ABSPATH . 'wp-admin/includes/internal-linking.php'; + + check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' ); + + $args = array(); + + if ( isset( $_POST['search'] ) ) + $args['s'] = stripslashes( $_POST['search'] ); + $args['pagenum'] = ! empty( $_POST['page'] ) ? absint( $_POST['page'] ) : 1; + + $results = wp_link_query( $args ); + + if ( ! isset( $results ) ) + die( '0' ); + + echo json_encode( $results ); + echo "\n"; + + exit; + break; +case 'menu-locations-save': + if ( ! current_user_can( 'edit_theme_options' ) ) + die('-1'); + check_ajax_referer( 'add-menu_item', 'menu-settings-column-nonce' ); + if ( ! isset( $_POST['menu-locations'] ) ) + die('0'); + set_theme_mod( 'nav_menu_locations', array_map( 'absint', $_POST['menu-locations'] ) ); die('1'); break; case 'meta-box-order': @@ -1029,10 +1133,10 @@ case 'meta-box-order': die('-1'); if ( $order ) - update_user_option($user->ID, "meta-box-order_$page", $order); + update_user_option($user->ID, "meta-box-order_$page", $order, true); if ( $page_columns ) - update_usermeta($user->ID, "screen_layout_$page", $page_columns); + update_user_option($user->ID, "screen_layout_$page", $page_columns, true); die('1'); break; @@ -1045,7 +1149,7 @@ case 'sample-permalink': check_ajax_referer( 'samplepermalink', 'samplepermalinknonce' ); $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0; $title = isset($_POST['new_title'])? $_POST['new_title'] : ''; - $slug = isset($_POST['new_slug'])? $_POST['new_slug'] : ''; + $slug = isset($_POST['new_slug'])? $_POST['new_slug'] : null; die(get_sample_permalink_html($post_id, $title, $slug)); break; case 'inline-save': @@ -1062,6 +1166,8 @@ case 'inline-save': die( __('You are not allowed to edit this post.') ); } + set_current_screen( $_POST['screen'] ); + if ( $last = wp_check_post_lock( $post_ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); @@ -1097,77 +1203,48 @@ case 'inline-save': // update the post edit_post(); - $post = array(); - if ( 'page' == $_POST['post_type'] ) { - $post[] = get_post($_POST['post_ID']); - page_rows($post); - } elseif ( 'post' == $_POST['post_type'] ) { - $mode = $_POST['post_view']; - $post[] = get_post($_POST['post_ID']); - post_rows($post); - } + $wp_list_table = _get_list_table('WP_Posts_List_Table'); + + $mode = $_POST['post_view']; + $wp_list_table->display_rows( array( get_post( $_POST['post_ID'] ) ) ); exit; break; case 'inline-save-tax': check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' ); - if ( ! current_user_can('manage_categories') ) - die( __('Cheatin’ uh?') ); - - if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) - die(-1); - - switch ($_POST['tax_type']) { - case 'cat' : - $data = array(); - $data['cat_ID'] = $id; - $data['cat_name'] = $_POST['name']; - $data['category_nicename'] = $_POST['slug']; - if ( isset($_POST['parent']) && (int) $_POST['parent'] > 0 ) - $data['category_parent'] = $_POST['parent']; - - $cat = get_category($id, ARRAY_A); - $data['category_description'] = $cat['category_description']; + $taxonomy = sanitize_key( $_POST['taxonomy'] ); + $tax = get_taxonomy( $taxonomy ); + if ( ! $tax ) + die( '0' ); - $updated = wp_update_category($data); - - if ( $updated && !is_wp_error($updated) ) - echo _cat_row( $updated, 0 ); - else - die( __('Category not updated.') ); - - break; - case 'link-cat' : - $updated = wp_update_term($id, 'link_category', $_POST); - - if ( $updated && !is_wp_error($updated) ) - echo link_cat_row($updated['term_id']); - else - die( __('Category not updated.') ); + if ( ! current_user_can( $tax->cap->edit_terms ) ) + die( '-1' ); - break; - case 'tag' : - if ( !empty($_POST['taxonomy']) ) - $taxonomy = $_POST['taxonomy']; - else - $taxonomy = 'post_tag'; + set_current_screen( 'edit-' . $taxonomy ); - $tag = get_term( $id, $taxonomy ); - $_POST['description'] = $tag->description; + $wp_list_table = _get_list_table('WP_Terms_List_Table'); - $updated = wp_update_term($id, $taxonomy, $_POST); - if ( $updated && !is_wp_error($updated) ) { - $tag = get_term( $updated['term_id'], $taxonomy ); - if ( !$tag || is_wp_error( $tag ) ) - die( __('Tag not updated.') ); + if ( ! isset($_POST['tax_ID']) || ! ( $id = (int) $_POST['tax_ID'] ) ) + die(-1); - echo _tag_row($tag); - } else { - die( __('Tag not updated.') ); - } + $tag = get_term( $id, $taxonomy ); + $_POST['description'] = $tag->description; + + $updated = wp_update_term($id, $taxonomy, $_POST); + if ( $updated && !is_wp_error($updated) ) { + $tag = get_term( $updated['term_id'], $taxonomy ); + if ( !$tag || is_wp_error( $tag ) ) { + if ( is_wp_error($tag) && $tag->get_error_message() ) + die( $tag->get_error_message() ); + die( __('Item not updated.') ); + } - break; + echo $wp_list_table->single_row( $tag ); + } else { + if ( is_wp_error($updated) && $updated->get_error_message() ) + die( $updated->get_error_message() ); + die( __('Item not updated.') ); } exit; @@ -1178,27 +1255,33 @@ case 'find_posts': if ( empty($_POST['ps']) ) exit; - $what = isset($_POST['pages']) ? 'page' : 'post'; + if ( !empty($_POST['post_type']) && in_array( $_POST['post_type'], get_post_types() ) ) + $what = $_POST['post_type']; + else + $what = 'post'; + $s = stripslashes($_POST['ps']); preg_match_all('/".*?("|$)|((?<=[\\s",+])|^)[^\\s",+]+/', $s, $matches); - $search_terms = array_map(create_function('$a', 'return trim($a, "\\"\'\\n\\r ");'), $matches[0]); + $search_terms = array_map('_search_terms_tidy', $matches[0]); $searchand = $search = ''; - foreach( (array) $search_terms as $term) { - $term = addslashes_gpc($term); + foreach ( (array) $search_terms as $term ) { + $term = esc_sql( like_escape( $term ) ); $search .= "{$searchand}(($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%'))"; $searchand = ' AND '; } - $term = $wpdb->escape($s); + $term = esc_sql( like_escape( $s ) ); if ( count($search_terms) > 1 && $search_terms[0] != $s ) $search .= " OR ($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%')"; - $posts = $wpdb->get_results( "SELECT ID, post_title, post_status, post_date FROM $wpdb->posts WHERE post_type = '$what' AND $search ORDER BY post_date_gmt DESC LIMIT 50" ); + $posts = $wpdb->get_results( "SELECT ID, post_title, post_status, post_date FROM $wpdb->posts WHERE post_type = '$what' AND post_status IN ('draft', 'publish') AND ($search) ORDER BY post_date_gmt DESC LIMIT 50" ); - if ( ! $posts ) - exit( __('No posts found.') ); + if ( ! $posts ) { + $posttype = get_post_type_object($what); + exit($posttype->labels->not_found); + } - $html = ''; + $html = '

'.__('Title').''.__('Time').''.__('Status').'
'; foreach ( $posts as $post ) { switch ( $post->post_status ) { @@ -1213,7 +1296,7 @@ case 'find_posts': $stat = __('Pending Review'); break; case 'draft' : - $stat = __('Unpublished'); + $stat = __('Draft'); break; } @@ -1236,24 +1319,11 @@ case 'find_posts': )); $x->send(); - break; -case 'lj-importer' : - check_ajax_referer( 'lj-api-import' ); - if ( !current_user_can( 'publish_posts' ) ) - die('-1'); - if ( empty( $_POST['step'] ) ) - die( '-1' ); - define('WP_IMPORTING', true); - include( ABSPATH . 'wp-admin/import/livejournal.php' ); - $result = $lj_api_import->{ 'step' . ( (int) $_POST['step'] ) }(); - if ( is_wp_error( $result ) ) - echo $result->get_error_message(); - die; break; case 'widgets-order' : check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' ); - if ( !current_user_can('switch_themes') ) + if ( !current_user_can('edit_theme_options') ) die('-1'); unset( $_POST['savewidgets'], $_POST['action'] ); @@ -1283,7 +1353,7 @@ case 'widgets-order' : case 'save-widget' : check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' ); - if ( !current_user_can('switch_themes') || !isset($_POST['id_base']) ) + if ( !current_user_can('edit_theme_options') || !isset($_POST['id_base']) ) die('-1'); unset( $_POST['savewidgets'], $_POST['action'] ); @@ -1297,7 +1367,7 @@ case 'save-widget' : $sidebar_id = $_POST['sidebar']; $multi_number = !empty($_POST['multi_number']) ? (int) $_POST['multi_number'] : 0; $settings = isset($_POST['widget-' . $id_base]) && is_array($_POST['widget-' . $id_base]) ? $_POST['widget-' . $id_base] : false; - $error = '

' . __('An error has occured. Please reload the page and try again.') . '

'; + $error = '

' . __('An error has occurred. Please reload the page and try again.') . '

'; $sidebars = wp_get_sidebars_widgets(); $sidebar = isset($sidebars[$sidebar_id]) ? $sidebars[$sidebar_id] : array(); @@ -1348,6 +1418,55 @@ case 'save-widget' : die(); break; +case 'image-editor': + $attachment_id = intval($_POST['postid']); + if ( empty($attachment_id) || !current_user_can('edit_post', $attachment_id) ) + die('-1'); + + check_ajax_referer( "image_editor-$attachment_id" ); + include_once( ABSPATH . 'wp-admin/includes/image-edit.php' ); + + $msg = false; + switch ( $_POST['do'] ) { + case 'save' : + $msg = wp_save_image($attachment_id); + $msg = json_encode($msg); + die($msg); + break; + case 'scale' : + $msg = wp_save_image($attachment_id); + break; + case 'restore' : + $msg = wp_restore_image($attachment_id); + break; + } + + wp_image_editor($attachment_id, $msg); + die(); + break; +case 'set-post-thumbnail': + $post_ID = intval( $_POST['post_id'] ); + if ( !current_user_can( 'edit_post', $post_ID ) ) + die( '-1' ); + $thumbnail_id = intval( $_POST['thumbnail_id'] ); + + check_ajax_referer( "set_post_thumbnail-$post_ID" ); + + if ( $thumbnail_id == '-1' ) { + delete_post_meta( $post_ID, '_thumbnail_id' ); + die( _wp_post_thumbnail_html() ); + } + + if ( set_post_thumbnail( $post_ID, $thumbnail_id ) ) + die( _wp_post_thumbnail_html( $thumbnail_id ) ); + die( '0' ); + break; +case 'date_format' : + die( date_i18n( sanitize_option( 'date_format', $_POST['date'] ) ) ); + break; +case 'time_format' : + die( date_i18n( sanitize_option( 'time_format', $_POST['date'] ) ) ); + break; default : do_action( 'wp_ajax_' . $_POST['action'] ); die('0');

'.__('Title').''.__('Date').''.__('Status').'